Internet intrusions: global characteristics and prevalence

SIGMETRICS'08: Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Mo..., no. 1 (2003): 138-147

Cited by 362 | Views 40 | EI

Abstract

Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four mon...

Introduction
  • 4.1 The Worms

    The authors provide background information on the major Internet worms released over the last two years.
  • The authors first describe the major port 80 worms, CodeRed I/II and Nimda.
  • This is important because port 80 scans still form the single most dominant group of scans, accounting for roughly 20%-60% of all scans in any given day.
  • The release date for Nimda was Sep 18, 2001, so the port 80 scans in the August 2001 dataset are exclusively CodeRed. The authors also describe SQL-Snake, a worm which affects Microsoft SQL Servers.
Key Points
  • 4.1 The Worms

    We provide background information on the major Internet worms released over the last two years.
  • We show that the distribution of source IP addresses of the non-worm intrusions ...
  • ... less than a day and required countless hours to eradicate from ... systems
  • In this paper we present a broad, empirical analysis of Internet intrusion activity using a large set of NIDS and firewall logs collected over a four month period.
  • We found daily intrusion activity as seen in our data to be highly variable, ranging from about 1M to 3M scans per day.
  • We find that while 60-70% of all non-worm scans are horizontal scans, the daily number of horizontal scan episodes is typically lower than the number of vertical scan episodes.
  • We find total intrusion activity to be as high as 25B per day and that non-port 80 scans increased by approximately 25% over our measurement period.
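The distinction between horizontal scans (one source probing the same port across many targets) and vertical scan episodes (one source probing many ports on a single target) explains why horizontal scans can dominate the scan count while vertical episodes outnumber them: a single horizontal episode contributes many scan records. The script below is an added example, not code from the paper or from DSHIELD; it assumes a hypothetical whitespace-separated portscan log layout (date, time, source IP, source port, target IP, target port, protocol) and a constructed sample, groups records into per-source, per-day episodes, classifies each episode with an assumed width threshold, and reports episode counts versus scan counts, with port 80 records separated out as the worm-dominated group.

```python
"""Classify portscan log records into horizontal / vertical scan episodes.

Added example for this page; the log layout, the sample lines and the
classification threshold are all assumptions, not DSHIELD's real format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log (hypothetical field order):
# date time source_ip source_port target_ip target_port protocol
SAMPLE_LOG = """\
2001-08-05 00:00:01 198.51.100.7 3241 203.0.113.10 80 tcp
2001-08-05 00:00:02 198.51.100.7 3242 203.0.113.11 80 tcp
2001-08-05 00:00:02 198.51.100.7 3243 203.0.113.12 80 tcp
2001-08-05 00:00:03 198.51.100.7 3244 203.0.113.13 80 tcp
2001-08-05 00:00:03 198.51.100.7 3245 203.0.113.14 80 tcp
2001-08-05 00:01:10 192.0.2.44 5000 203.0.113.20 21 tcp
2001-08-05 00:01:10 192.0.2.44 5001 203.0.113.20 22 tcp
2001-08-05 00:01:11 192.0.2.44 5002 203.0.113.20 23 tcp
2001-08-05 00:01:11 192.0.2.44 5003 203.0.113.20 25 tcp
2001-08-05 00:02:00 192.0.2.99 6000 203.0.113.30 1433 tcp
2001-08-05 00:02:00 192.0.2.99 6001 203.0.113.31 1433 tcp
2001-08-05 00:02:01 192.0.2.99 6002 203.0.113.32 1433 tcp
2001-08-05 00:02:01 192.0.2.99 6003 203.0.113.33 1433 tcp
2001-08-05 00:03:00 192.0.2.5 7000 203.0.113.40 443 tcp
2001-08-05 00:03:00 192.0.2.5 7001 203.0.113.40 8080 tcp
2001-08-05 00:03:00 192.0.2.5 7002 203.0.113.40 3389 tcp
2001-08-05 00:05:00 192.0.2.8 7100 203.0.113.50 53 udp
"""


@dataclass(frozen=True)
class Record:
    day: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> List[Record]:
    """Parse the assumed 7-field layout; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        day, _time, src, _sport, dst, dport, proto = parts
        records.append(Record(day, src, dst, int(dport), proto))
    return records


def classify_episodes(records: List[Record], min_width: int = 3) -> Dict[Tuple[str, str], dict]:
    """Group records by (day, source IP) and label each group.

    horizontal: one target port, at least min_width distinct target hosts
    vertical:   one target host, at least min_width distinct target ports
    other:      anything narrower or mixed (min_width is an assumed threshold)
    """
    by_src: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for r in records:
        by_src[(r.day, r.src)].append(r)
    episodes = {}
    for key, recs in by_src.items():
        targets = {r.dst for r in recs}
        ports = {r.dport for r in recs}
        if len(ports) == 1 and len(targets) >= min_width:
            kind = "horizontal"
        elif len(targets) == 1 and len(ports) >= min_width:
            kind = "vertical"
        else:
            kind = "other"
        episodes[key] = {
            "kind": kind,
            "scans": len(recs),
            "targets": len(targets),
            "ports": len(ports),
            "port80_scans": sum(1 for r in recs if r.dport == 80),
        }
    return episodes


def summarize(episodes: Dict[Tuple[str, str], dict]) -> dict:
    """Episode counts versus scan-record counts, with port 80 split out."""
    kinds = ("horizontal", "vertical", "other")
    out = {
        "episodes": {k: 0 for k in kinds},
        "scans": {k: 0 for k in kinds},
        "total_scans": 0,
        "port80_scans": 0,
        "nonport80_scans": 0,
        "nonport80_horizontal_scans": 0,
    }
    for ep in episodes.values():
        out["episodes"][ep["kind"]] += 1
        out["scans"][ep["kind"]] += ep["scans"]
        out["total_scans"] += ep["scans"]
        out["port80_scans"] += ep["port80_scans"]
        non80 = ep["scans"] - ep["port80_scans"]
        out["nonport80_scans"] += non80
        if ep["kind"] == "horizontal":
            out["nonport80_horizontal_scans"] += non80
    return out


if __name__ == "__main__":
    eps = classify_episodes(parse_log(SAMPLE_LOG))
    for (day, src), ep in sorted(eps.items()):
        print(f"{day} {src:14} {ep['kind']:10} scans={ep['scans']} "
              f"targets={ep['targets']} ports={ep['ports']}")
    print(summarize(eps))
```

On the constructed sample the two horizontal episodes account for more scan records than the two vertical ones, while the episode counts are equal; on real data that gap is what lets horizontal scans dominate by volume even when vertical episodes are more numerous. Keying episodes by day mirrors the per-day statistics the paper reports; a production detector would also bound the time between records in an episode.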
Conclusion
  • SUMMARY AND CONCLUSION

    In this paper the authors present a broad, empirical analysis of Internet intrusion activity using a large set of NIDS and firewall logs collected over a four month period.
  • The authors found daily intrusion activity as seen in the data to be highly variable, ranging from about 1M to 3M scans per day.
  • The authors' breakdown of scan types shows the predictably large amount of worm activity, and a large amount of scanning directed toward ports other than 80.
  • The authors find total intrusion activity to be as high as 25B per day and that non-port 80 scans increased by approximately 25% over the measurement period.
Tables
  • Table1: Sample log entries from DSHIELD portscan logs
  • Table2: Monthly summary of studied DSHIELD logs
Related Work
  • The work by Moore et al. is motivated by the question, “how prevalent are denial-of-service attacks in the Internet today?” [17]. Our work is similar in spirit, although we address the general question of intrusions and are not specifically focused on DoS activity. Staniford et al. report on recent worm activity (Code Red, Nimda) in [23] and project the possibilities of much more serious worm threats in the future. Cowie et al. present a different perspective on the same events by examining hour-long periods of “widespread instabilities” in the global BGP system in July and September of 2001 [5]. They describe the idea of “worm induced traffic diversity” that is unlike other normal traffic experienced by routers and is the primary cause of the BGP instabilities.

    Our work has implications for the development and configuration of network intrusion detection systems. Many such systems have been developed and deployed (e.g. [18, 19]). The standard approach for recognizing an intrusion is to create
Funding
  • The dataset was obtained from DSHIELD.ORG, a research effort funded by the SANS Institute as part of its Internet Storm Center.
References
  • [1] George Bakos. SQLsnake code analysis. http://www.incidents.org/diary/diary.php?id=157, 2002.
  • [2] Paul Barford, Azer Bestavros, John Byers, and Mark Crovella. On the marginal utility of network topology measurements. In Proceedings of ACM SIGCOMM Internet Measurement Workshop, San Francisco, CA, November 2001.
  • [3] CAIDA. CodeRed Worms a Global Threat. http://www.caida.org/analysis/security/code-red/, 2001.
  • [4] CERT Coordination Center. http://www.cert.org, 2001.
  • [5] James Cowie, Andy T. Ogielski, BJ Premore, and Yougu Yuan. Global Routing Instabilities Triggered by CodeRed II and Nimda Worm Attacks. http://www.renesys.com/projects/bgp instability, 2001.
  • [6] Frederic Cuppens and Alexandre Miege. Alert correlation in a cooperative intrusion detection framework. In Proceedings of IEEE Symposium on Security and Privacy, 2002.
  • [7] Kevin Van Dixon. Spoof bounce. http://rr.sans.org/intrusion/spoof.php, 2001.
  • [8] Michalis Faloutsos, Petros Faloutsos, and Christos Faloutsos. On power-law relationships of the Internet topology. In Proceedings of ACM SIGCOMM, 1999.
  • [9] Robert Gray. Entropy and Information Theory. Springer-Verlag, 1990.
  • [10] HoneyNet Project. Know Your Enemy: Honeynets. http://project.honeynet.org, 2001.
  • [11] Brad Huffaker, Andre Broido, Kim Claffy, Marina Fomenkov, Sean McCreary, David Moore, and Oliver Jakubiec. Visualizing Internet topology at a macroscopic scale. http://www.caida.org/analysis/topology/as core network/about.xml/, 2001.
  • [12] Eeye Security Inc. Microsoft IIS Buffer Overflow Advisory. http://www.eeye.com/html/Research/Advisories/AD20010618.html, 2001.
  • [13] Richard Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman. Evaluating Intrusion Detection Systems: 1998 DARPA Off-line Intrusion Detection Evaluation. In Proceedings of IEEE Security Symposium, 1998.
  • [14] McAfee. Virus alert. http://vil.nai.com/vil/content/v 9949.htm, 2002.
  • [15] David Meyer. University of Oregon Route Views Project. http://antc.uoregon.edu/route-views/, 2002.
  • [16] David Moore. Network Telescopes: Observing Small or Distant Security Events. http://www.caida.org/outreach/presentations/2002/usenix sec/, 2002.
  • [17] David Moore, Geoffrey Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, 2001.
  • [18] Vern Paxson. Bro: A System for Detecting Network Intruders in Real Time. In Proceedings of the 7th USENIX Security Symposium, 1998.
  • [19] Marty Roesch. The Snort Network Intrusion Detection System. http://www.snort.org, 2002.
  • [20] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Practical Network Support for IP Traceback. In Proceedings of ACM SIGCOMM, 2000.
  • [21] Alex Snoeren, Craig Partridge, Luis Sanchez, Christine Jones, Fabrice Tchakountio, and Stephen Kent. Hash-Based IP Traceback. In Proceedings of ACM SIGCOMM, 2001.
  • [22] Stuart Staniford, James Hoagland, and Joseph McAlerney. Practical Automated Detection of Stealthy Portscans. In Journal of Computer Security, 2002.
  • [23] Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, 2002.
  • [24] Johannes Ullrich. DSHIELD. http://www.dshield.org, 2000.
  • [25] Johannes Ullrich. MSSQL worm (sqlsnake) on the rise. http://www.incidents.org/diary/diary.php?id=156, 2002.
  • [26] Yin Zhang and Vern Paxson. Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, 2000.
  • [27] G. Zipf. Human Behavior and the Principle of Least-Effort. Addison-Wesley, Cambridge, MA, 1949.